Recipe 4.8 Searching with an Attribute-Scoped Query

This recipe requires the Windows Server 2003 forest functional level.

4.8.1 Problem

You want to retrieve attributes of objects that have been set in a
multivalued-linked attribute, such as the member
attribute on group objects. An attribute-scoped
query can do this in a single query, instead of the previous method,
which required multiple queries.

4.8.2 Solution

4.8.2.1 Using a graphical user interface

Follow the steps in
Recipe 4.3 to enable an LDAP control.

Select the Attribute Scoped Query control (you can select controls by
name with the Windows Server 2003 version of LDP). For the Windows
2000 version of LDP, add a control with an OID of
1.2.840.113556.1.4.1504.

For Value, enter the multivalued attribute name (e.g.,
member).

Click the Check in button.

Click OK.

From the menu, select Browse → Search.

For BaseDN, type the DN of the object that contains the multivalued
DNs.

For Scope, select Base.

For Filter, enter an LDAP filter to match against the objects that
are part of the multivalued DN attribute.

Click Run.

4.8.2.2 Using a command-line interface

At the time of publication of this book, no CLI tools supported
attribute-scoped queries.

4.8.2.3 Using VBScript

At the time of publication of this book, you cannot use
attribute-scoped queries with ADSI, ADO, or VBScript. In an ADO
search, you can use the ADSIFlags property of a Connection object to
set the search preference, but there is no way to set the attribute
that should be matched, which must be included as part of the LDAP
control value.

4.8.3 Discussion

When dealing with group objects, you may have
encountered the problem where you wanted to search against the
members of a group to find a subset or to retrieve certain attributes
about each member. This normally involved performing a query to
retrieve all of the members, and additional queries to retrieve
whatever attributes you needed for each member. This was less than
ideal, so an alternative was developed for Windows Server 2003.

With an attribute-scoped query, you can perform a single query
against the group object and return whatever
properties you need from each member's object, or
return only a subset of the members based on certain criteria.
Let's look at the LDAP search parameters for an
attribute-scoped query:

Attribute Scoped Query Control Value

The value to set for this control should be the multivalued DN
attribute that you want to iterate over (e.g.,
member).

Base DN

This should be the DN of the object that contains the multivalued DN
attribute (e.g., cn=DomainAdmins,cn=users,dc=rallencorp,dc=com).

Scope

This should be set to Base.

Filter

The filter will match against objects defined in the Control Value.
For example, a filter of
(&(objectclass=user)(objectcategory=Person))
would match any user objects defined in the
multivalued DN. You can also use any other attributes that are
available with those objects. The following filter would match all
user objects that have a
department attribute equal to
"Sales":
(&(objectclass=user)(objectcategory=Person)(department=Sales))

Attributes

This should contain the list of attributes to return for each object
matched in the multivalued DN.
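As an added example (not from the book), the following Python builds the four search parameters above together with the Attribute Scoped Query control itself, so the query can be issued from a script rather than from LDP. The control value layout (a BER SEQUENCE wrapping an OCTET STRING holding the attribute name) is taken from Microsoft's MS-ADTS documentation of this OID; the ldap3 helper at the end is an assumption about that library's `controls` argument and is only imported if you call it.

```python
"""Build an Attribute Scoped Query (ASQ) search against a group object."""
import re

# OID of the ASQ control, as given in the recipe.
ASQ_CONTROL_OID = "1.2.840.113556.1.4.1504"


def _ber_length(n: int) -> bytes:
    """BER/DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def asq_control_value(source_attribute: str) -> bytes:
    """Encode ASQRequestValue ::= SEQUENCE { sourceAttribute OCTET STRING }.

    The attribute name is validated as an LDAP attribute descriptor so a
    caller cannot smuggle filter or DN syntax into the control value.
    """
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", source_attribute):
        raise ValueError(f"not an LDAP attribute name: {source_attribute!r}")
    name = source_attribute.encode("ascii")
    octet_string = b"\x04" + _ber_length(len(name)) + name      # OCTET STRING
    return b"\x30" + _ber_length(len(octet_string)) + octet_string  # SEQUENCE


def asq_search(group_dn: str, ldap_filter: str, attributes, source_attribute="member"):
    """Return the recipe's search parameters: base = the group's DN, scope =
    base, the filter applied to the linked objects, and the ASQ control."""
    return {
        "base": group_dn,
        "scope": "base",
        "filter": ldap_filter,
        "attributes": list(attributes),
        # (controlType, criticality, controlValue) is the tuple form ldap3 accepts.
        "controls": [(ASQ_CONTROL_OID, True, asq_control_value(source_attribute))],
    }


def run_with_ldap3(conn, params):
    """Issue the query over an already-bound ldap3 Connection (assumed API)."""
    import ldap3  # imported lazily so the module works without ldap3 installed
    conn.search(params["base"], params["filter"], search_scope=ldap3.BASE,
                attributes=params["attributes"], controls=params["controls"])
    return conn.entries


# Constructed input matching the recipe's Sales example; DN is the book's sample.
SALES_ADMINS = asq_search("cn=DomainAdmins,cn=users,dc=rallencorp,dc=com",
                          "(&(objectclass=user)(objectcategory=Person)(department=Sales))",
                          ["sAMAccountName", "department"])
```

Because the server applies the filter to the member objects, the reply contains one entry per matching member rather than the group itself, which is also why the scope must be Base.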